allow ima to be opt-in like in f14
parent
9d066c5537
commit
c1c4696c55
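--- /dev/null
+++ b/ima-allow-it-to-be-completely-disabled-and-default-off.patch
@@ -0,0 +1,142 @@
+From 785465d9cffd65b5a69dd2f465d2f7c917713220 Mon Sep 17 00:00:00 2001
+From: Kyle McMartin <kyle@mcmartin.ca>
+Date: Mon, 18 Oct 2010 13:30:39 -0400
+Subject: [PATCH] ima: provide a toggle to disable it entirely
+
+Signed-off-by: Kyle McMartin <kyle@redhat.com>
+---
+security/integrity/ima/ima.h | 1 +
+security/integrity/ima/ima_iint.c | 9 +++++++++
+security/integrity/ima/ima_main.c | 24 +++++++++++++++++++++---
+3 files changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
+index afba4ae..3d191ef 100644
+--- a/security/integrity/ima/ima_iint.c
++++ b/security/integrity/ima/ima_iint.c
+@@ -54,6 +54,9 @@ int ima_inode_alloc(struct inode *inode)
+struct ima_iint_cache *iint = NULL;
+int rc = 0;
+
++ if (!ima_enabled)
++ return 0;
++
+iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
+if (!iint)
+return -ENOMEM;
+@@ -116,6 +119,9 @@ void ima_inode_free(struct inode *inode)
+{
+struct ima_iint_cache *iint;
+
++ if (!ima_enabled)
++ return;
++
+spin_lock(&ima_iint_lock);
+iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
+spin_unlock(&ima_iint_lock);
+@@ -139,6 +145,9 @@ static void init_once(void *foo)
+
+static int __init ima_iintcache_init(void)
+{
++ if (!ima_enabled)
++ return 0;
++
+iint_cache =
+kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
+SLAB_PANIC, init_once);
+diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
+index e662b89..6e91905 100644
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -26,6 +26,7 @@
+#include "ima.h"
+
+int ima_initialized;
++int ima_enabled;
+
+char *ima_hash = "sha1";
+static int __init hash_setup(char *str)
+@@ -36,6 +37,14 @@ static int __init hash_setup(char *str)
+}
+__setup("ima_hash=", hash_setup);
+
++static int __init ima_enable(char *str)
++{
++ if (strncmp(str, "on", 2) == 0)
++ ima_enabled = 1;
++ return 1;
++}
++__setup("ima=", ima_enable);
++
+struct ima_imbalance {
+struct hlist_node node;
+unsigned long fsmagic;
+@@ -148,7 +157,7 @@ void ima_counts_get(struct file *file)
+struct ima_iint_cache *iint;
+int rc;
+
+- if (!ima_initialized || !S_ISREG(inode->i_mode))
++ if (!ima_enabled || !ima_initialized || !S_ISREG(inode->i_mode))
+return;
+iint = ima_iint_find_get(inode);
+if (!iint)
+@@ -215,7 +224,7 @@ void ima_file_free(struct file *file)
+struct inode *inode = file->f_dentry->d_inode;
+struct ima_iint_cache *iint;
+
+- if (!ima_initialized || !S_ISREG(inode->i_mode))
++ if (!ima_enabled || !ima_initialized || !S_ISREG(inode->i_mode))
+return;
+iint = ima_iint_find_get(inode);
+if (!iint)
+@@ -269,7 +278,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
+{
+int rc;
+
+- if (!file)
++ if (!ima_enabled || !file)
+return 0;
+if (prot & PROT_EXEC)
+rc = process_measurement(file, file->f_dentry->d_name.name,
+@@ -294,6 +303,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
+{
+int rc;
+
++ if (!ima_enabled)
++ return 0;
++
+rc = process_measurement(bprm->file, bprm->filename,
+MAY_EXEC, BPRM_CHECK);
+return 0;
+@@ -313,6 +325,9 @@ int ima_file_check(struct file *file, int mask)
+{
+int rc;
+
++ if (!ima_enabled)
++ return 0;
++
+rc = process_measurement(file, file->f_dentry->d_name.name,
+mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
+FILE_CHECK);
+@@ -324,6 +339,9 @@ static int __init init_ima(void)
+{
+int error;
+
++ if (!ima_enabled)
++ return 0;
++
+error = ima_init();
+ima_initialized = 1;
+return error;
+diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
+index 47fb65d..8919c4e 100644
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -36,6 +36,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
+
+/* set during initialization */
+extern int ima_initialized;
++extern int ima_enabled;
+extern int ima_used_chip;
+extern char *ima_hash;
+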
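Review bot: `ima_enable` in the new ima_main.c hunk tests `strncmp(str, "on", 2) == 0`, so any value that merely begins with "on" switches IMA on; `if (strcmp(str, "on") == 0)` would accept exactly the documented spelling and reject typos instead of silently enabling. Because every entry point (`ima_inode_alloc`, `ima_iintcache_init`, `ima_file_mmap`, `ima_bprm_check`, `ima_file_check`, `init_ima`) now returns early on `!ima_enabled`, a kernel built with IMA measures nothing unless `ima=on` is on the command line, which is the intended default here but deserves a comment above `__setup("ima=", ima_enable);` such as `/* IMA is off unless ima=on is passed; no measurements or appraisal occur otherwise */`, and an entry in the kernel boot-parameter documentation, which this patch does not touch. In ima.h the new `extern int ima_enabled;` lands under the `/* set during initialization */` comment although it is set by command-line parsing before any initcall runs; `/* set from the ima= boot parameter */` on its own line would describe it correctly.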
@ -870,6 +870,8 @@ Patch13800: xfs-track-ags-with-reclaimable-inodes-in-per-ag-radix-tree.patch
Patch13801: xfs-simplify-and-remove-xfs_ireclaim.patch
Patch13801: xfs-simplify-and-remove-xfs_ireclaim.patch
Patch13802: xfs-properly-account-for-reclaimed-inodes.patch
Patch13802: xfs-properly-account-for-reclaimed-inodes.patch
Patch13900: ima-allow-it-to-be-completely-disabled-and-default-off.patch
%endif
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1660,6 +1662,9 @@ ApplyPatch xfs-track-ags-with-reclaimable-inodes-in-per-ag-radix-tree.patch
ApplyPatch xfs-simplify-and-remove-xfs_ireclaim.patch
ApplyPatch xfs-simplify-and-remove-xfs_ireclaim.patch
ApplyPatch xfs-properly-account-for-reclaimed-inodes.patch
ApplyPatch xfs-properly-account-for-reclaimed-inodes.patch
# disable IMA by default as we did in F-14
ApplyPatch ima-allow-it-to-be-completely-disabled-and-default-off.patch
# END OF PATCH APPLICATIONS
# END OF PATCH APPLICATIONS
%endif
%endif
@ -2281,6 +2286,10 @@ fi
%changelog
%changelog
* Mon Nov 29 2010 Kyle McMartin <kyle@redhat.com>
- Make ima an opt-in parameter like we did in F-14. Pass ima=on if you want
it enabled.
* Mon Nov 29 2010 Kyle McMartin <kyle@redhat.com>
* Mon Nov 29 2010 Kyle McMartin <kyle@redhat.com>
- Backport XFS fixes for the kernel.org xfs boog. [4d4e307a]
- Backport XFS fixes for the kernel.org xfs boog. [4d4e307a]
Needed two other backports to simplify life.
Needed two other backports to simplify life.